CVE-2023-42629

Stored cross-site scripting (XSS) vulnerability in the manage vocabulary page in Liferay Portal 7.4.2 through 7.4.3.87, and Liferay DXP 7.4 before update 88 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a Vocabulary's 'description' text field.

Published: Oct 17, 2023
Updated: Nov 16, 2025
CVE: CVE-2023-42629
Severity: Critical
Exploit:

CVSS v3:

Severity: Critical
Score: 9
AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

CWEs:

CWE-79

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
liferay / digital_experience_platform	7.4-update34	7.4-update34.x
liferay / digital_experience_platform	7.4-update1	7.4-update1.x
liferay / digital_experience_platform	7.4	7.4.x
liferay / digital_experience_platform	7.4-update36	7.4-update36.x
liferay / digital_experience_platform	7.4-update41	7.4-update41.x
liferay / digital_experience_platform	7.4-update52	7.4-update52.x
liferay / digital_experience_platform	7.4-update50	7.4-update50.x
liferay / digital_experience_platform	7.4-update21	7.4-update21.x
liferay / digital_experience_platform	7.4-update62	7.4-update62.x
liferay / digital_experience_platform	7.4-update67	7.4-update67.x
liferay / digital_experience_platform	7.4-update48	7.4-update48.x
liferay / digital_experience_platform	7.4-update76	7.4-update76.x
liferay / digital_experience_platform	7.4-update82	7.4-update82.x
liferay / digital_experience_platform	7.4-update83	7.4-update83.x
liferay / digital_experience_platform	7.4-update84	7.4-update84.x
liferay / digital_experience_platform	7.4-update85	7.4-update85.x
liferay / digital_experience_platform	7.4-update81	7.4-update81.x
liferay / liferay_portal	7.4.2	7.4.3.88
liferay / digital_experience_platform	7.4-update86	7.4-update86.x

Vulnerability Database

324,311

CVE-2023-42629

Deep Security Visibility Without the Complexity